cracking a domain cachedump
#1
I obtained a Domain Cache dump via cachedump SYSTEM SECURITY. I ran oclhashcat on the hash using the hash type 1000 for NTLM. Oclhashcat picked up the hash, but didn't match any passwords. Since then I noticed that hash type 1100 is for Domain Cached Credentials. Do I need to re-run the oclhashcat using 1100 or would the 1000 work if I had the right password?
#2
1100 works with the format hash:username
1000 is pure NTLM hash.
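
Added example, not part of the original thread: why a cached-credential hash loads under mode 1000 but never matches there. Both formats are 32 hex characters, but DCC (mode 1100) is MD4 over the NTLM digest plus the lowercased username. The account name and password are constructed, and the pure-Python MD4 is included because `hashlib` often lacks it.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable."""
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, message words in order
                f, k, s, add = (b & c) | (~b & d), j, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, column-wise word order
                f, k, s, add = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H, bit-reversed word order
                f, k, s, add = b ^ c ^ d, order3[j], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + x[k] + add) & 0xFFFFFFFF, s), b, c
        state = [(v + w) & 0xFFFFFFFF for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm(password: str) -> str:
    """What mode 1000 compares against: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le")).hex()

def dcc(password: str, username: str) -> str:
    """Mode 1100 (DCC / MS Cache): MD4(NTLM digest + UTF-16LE(lowercased username))."""
    inner = md4(password.encode("utf-16-le"))
    return md4(inner + username.lower().encode("utf-16-le")).hex()

def candidate_matches(mode: int, stored: str, password: str, username: str = "") -> bool:
    """Check one candidate password the way the selected mode would."""
    computed = ntlm(password) if mode == 1000 else dcc(password, username)
    return computed == stored.lower()

# Constructed sample: a cached-credential entry for a made-up account.
USER, PASSWORD = "jsmith", "Winter2014!"
CACHED = dcc(PASSWORD, USER)

if __name__ == "__main__":
    print("cached entry   :", f"{CACHED}:{USER}")  # hash:username, as mode 1100 expects
    print("mode 1000 match:", candidate_matches(1000, CACHED, PASSWORD))
    print("mode 1100 match:", candidate_matches(1100, CACHED, PASSWORD, USER))
```

Even with the correct password, the mode 1000 comparison fails because the stored value was never a bare NTLM digest; the second MD4 pass is also why mode 1100 runs slower.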
#3
When I processed the file using hash type 1000 I used the --username parameter and Oclhashcat recognized the hashes that were in the file, but it didn't crack it. I ran the same scan using hash type 1100 and oclhashcat cracked one of the hashes.

Can you clear me up on why the hash type 1000 would scan but not crack?
#4
Because you used the --username switch which ignores what is before or after a colon :
#5
I guess I didn't make my question clear enough. I will rephrase it. If I have a hash from a Domain Credentials cache dump, can I crack it by using either hash type 1000 or 1100? My testing shows that cracking via type 1100 is about 75% slower.

The reason I ask is because Oclhashcat accepted the hash when I used type 1000, but it didn't crack anything.
#6
NTLM hashes are 32 chars long, without username, and cracked with mode 1000.

"it didn't crack anything" -> not the problem of oclhashcat! It's your problem: bad wordlist, bad bruteforce mask, etc.
#7
(11-08-2014, 04:44 AM)slawson Wrote: If I have a hash from a Domain Credentials cache dump, can I crack it by using either hash type 1000 or 1100? My testing shows that cracking via type 1100 is about 75% slower.
Of course you can. And if this doesn't work try MD5. I mean, all those hash types are just to confuse users. Use whatever gives no error and is faster than the other modes!